Red Hat Product Errata RHSA-2019:1764 - Security Advisory

Issued:: 2019-07-11
Updated:: 2019-07-11

RHSA-2019:1764 - Security Advisory

Overview
Updated Packages

Synopsis

Critical: firefox security update

Type/Severity

Security Advisory: Critical

Topic

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 60.8.0 ESR.

Security Fix(es):

Mozilla: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 (CVE-2019-11709)
Mozilla: Sandbox escape via installation of malicious language pack (CVE-2019-9811)
Mozilla: Script injection within domain through inner window reuse (CVE-2019-11711)
Mozilla: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (CVE-2019-11712)
Mozilla: Use-after-free with HTTP/2 cached stream (CVE-2019-11713)
Mozilla: HTML parsing error can contribute to content XSS (CVE-2019-11715)
Mozilla: Caret character improperly escaped in origins (CVE-2019-11717)
Mozilla: Same-origin policy treats all files in a directory as having the same-origin (CVE-2019-11730)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

Affected Products

Red Hat Enterprise Linux for x86_64 8 x86_64
Red Hat Enterprise Linux for IBM z Systems 8 s390x
Red Hat Enterprise Linux for Power, little endian 8 ppc64le
Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

BZ - 1728430 - CVE-2019-11709 Mozilla: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8
BZ - 1728431 - CVE-2019-11711 Mozilla: Script injection within domain through inner window reuse
BZ - 1728432 - CVE-2019-11712 Mozilla: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects
BZ - 1728433 - CVE-2019-11713 Mozilla: Use-after-free with HTTP/2 cached stream
BZ - 1728434 - CVE-2019-11715 Mozilla: HTML parsing error can contribute to content XSS
BZ - 1728435 - CVE-2019-11717 Mozilla: Caret character improperly escaped in origins
BZ - 1728438 - CVE-2019-11730 Mozilla: Same-origin policy treats all files in a directory as having the same-origin
BZ - 1728439 - CVE-2019-9811 Mozilla: Sandbox escape via installation of malicious language pack

CVEs

References

https://access.redhat.com/security/updates/classification/#critical

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux for x86_64 8

SRPM
firefox-60.8.0-1.el8_0.src.rpm	SHA-256: 588ceafb9fd33536f7c6ebbd6e97548276c7f6298768b6daff2d7ff7d9049bac
x86_64
firefox-60.8.0-1.el8_0.x86_64.rpm	SHA-256: bdd44de5dd15ffd72c8990cf9e83fa3016ee1d0422e2d0ac114c9e7711a011e1
firefox-debuginfo-60.8.0-1.el8_0.x86_64.rpm	SHA-256: 79c36e8e099f45a223da555b13610d99ca84fe4a5c7aa29cdaf9ada50bd008f1
firefox-debugsource-60.8.0-1.el8_0.x86_64.rpm	SHA-256: b2a7747562075b2b7c0dbe7eaf3d914597d30d00433ad98fe97cc28391c50ff8

Red Hat Enterprise Linux for IBM z Systems 8

SRPM
firefox-60.8.0-1.el8_0.src.rpm	SHA-256: 588ceafb9fd33536f7c6ebbd6e97548276c7f6298768b6daff2d7ff7d9049bac
s390x
firefox-60.8.0-1.el8_0.s390x.rpm	SHA-256: 0cd8141db4fc8b993d699f2fafbab4508df769541d404bcdd7602e93c3f192d7
firefox-debuginfo-60.8.0-1.el8_0.s390x.rpm	SHA-256: ea9db71be1f1b221ea8675501bf2a7ee0590eec751d27cf92b02e88a9849e7fe
firefox-debugsource-60.8.0-1.el8_0.s390x.rpm	SHA-256: 3a1237605fd9f04a1f219a8f1c21666e09e0c6f4035cecf0ee3b0240a725ec34

Red Hat Enterprise Linux for Power, little endian 8

SRPM
firefox-60.8.0-1.el8_0.src.rpm	SHA-256: 588ceafb9fd33536f7c6ebbd6e97548276c7f6298768b6daff2d7ff7d9049bac
ppc64le
firefox-60.8.0-1.el8_0.ppc64le.rpm	SHA-256: 9ea3ab408a572e02c17daff441d39574703eb9be145e4387471c3e822880e6c1
firefox-debuginfo-60.8.0-1.el8_0.ppc64le.rpm	SHA-256: 42231dc5dadfbfacc8032b275d9be3d63e40aa3b9e3e18684d007135465f851b
firefox-debugsource-60.8.0-1.el8_0.ppc64le.rpm	SHA-256: 37753eaf2e97754aa56b54391120413336d9c698c066860314e812d5c5a35517

Red Hat Enterprise Linux for ARM 64 8

SRPM
firefox-60.8.0-1.el8_0.src.rpm	SHA-256: 588ceafb9fd33536f7c6ebbd6e97548276c7f6298768b6daff2d7ff7d9049bac
aarch64
firefox-60.8.0-1.el8_0.aarch64.rpm	SHA-256: 1717d58732e2e16a46b764838ec413483403b864eb84e9fead61052283f0e9d9
firefox-debuginfo-60.8.0-1.el8_0.aarch64.rpm	SHA-256: 517b658acb0b041ba2d9d506fe4c8508e060d2815344f815972b804f863c0a6d
firefox-debugsource-60.8.0-1.el8_0.aarch64.rpm	SHA-256: 1f319d4fcd6e76ae4308fc34aadd3843cf730adc5a2c39df00d68d5016dbb4b9

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories